[CLSA-2026:1783603500] alt-nodejs14-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 17:04:36 UTC
Description:
- CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes to prevent silent authority rebinding via C-string truncation in the resolver bindings (backport of nodejs/node@7dafafa2 adapted to 14.21.3: validateStringWithoutNullBytes) - CVE-2026-48619: http2: cap the client-side originSet size (default 128) so a malicious server can no longer cause unbounded memory growth via ORIGIN frames (backport of nodejs/node@c79968e1) - CVE-2026-48933: crypto: guard the cipher output-length computation against signed-int overflow in the legacy CipherBase::Update path in src/node_crypto.cc (Node 14 has no WebCrypto; adapted INT_MAX guard from nodejs/node@98fbc892)
Updated packages:
  • alt-nodejs14-nodejs-14.21.3-24.el10.x86_64.rpm
    sha:47d0f3978d6853e1c36f5534c4d543ee461f0af94238b2795b923aaf04f94c83
  • alt-nodejs14-nodejs-devel-14.21.3-24.el10.x86_64.rpm
    sha:ff0eeac25df0900ead8df348849c0646fcaa98294b63121d34d4ded6d16b2296
  • alt-nodejs14-nodejs-docs-14.21.3-24.el10.noarch.rpm
    sha:c9c835df858dc79f59a6033b29e69670517031b0f282d661abaa7e0d3b5e0b3a
  • alt-nodejs14-npm-6.14.18-14.21.3.24.el10.x86_64.rpm
    sha:0083c684b5c7f6c1b18360838faf5eb57c0426c170665d73707f2e43964b4dc7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.